Data Processor
An entity that processes personal data on behalf of a Data Fiduciary — similar to a GDPR 'Processor', but with fewer direct statutory obligations under the DPDP Act.
Full Definition
Section 2(n) of the DPDP Act 2023 defines 'Data Processor' as any person who processes personal data on behalf of a Data Fiduciary. Classic examples: a cloud hosting provider, a payroll processing company, a third-party analytics vendor, or a call centre handling customer data for a bank. A critical distinction from GDPR: under the DPDP Act, Data Processors' obligations are largely derivative of the Data Fiduciary's instructions — the Act does not impose the same direct statutory obligations on Processors that GDPR does. Under GDPR, Processors are directly regulated (Articles 28, 32) and share liability for breaches. Under the DPDP Act, the primary regulatory burden falls on the Data Fiduciary, who is responsible for ensuring Processors comply through contractual arrangements.
In Indian Law
DPDP Act 2023, Section 2(n). The Data Fiduciary remains primarily responsible for compliance — including in respect of acts of Data Processors (Section 8(2)). Contracts between Fiduciaries and Processors are the primary governance mechanism under the DPDP Act, unlike GDPR which mandates specific contract terms (Article 28 DPA). This lighter-touch approach to Processors was a deliberate policy choice reflecting India's large IT services industry.
Related Legal Sections
Frequently Asked Questions
Is an IT company that processes data for its clients a Data Processor or a Data Fiduciary?
If the IT company processes data purely on the client's instructions and does not determine the purpose or means of processing, it is a Data Processor. If it decides how or why data is processed (for example, a SaaS company that determines its own processing logic), it is a Data Fiduciary — or potentially both.